I've seen some contention around the issue of whether or not wireless connections should be disabled in an environment where a wired domain and unregulated wireless network are both present.

What attack vectors and mitigation methods exist specifically due to having both network connections active at the same time, more specifically if the default route is set to the wireless? I'm aware of the threats associated with wireless in general terms.

3 Answers

Edit (11/14): As far as I know, there are no significant risks to having both a wired and a wireless network connection open at the same time, beyond the risks implied by each one individually.

There are risks with having a machine connected to both an internal-only network and to the Internet: it partly defeats the purpose of having a firewall to separate your internal-only network from the outside Internet. The purpose of a firewall is to have a single chokepoint that controls the security perimeter. If you have a machine that's connected to both the inside and the outside, that machine now becomes part of the security perimeter. For instance, if that machine gets compromised, now your entire internal network is exposed to the attacker. For this reason, it's generally not recommended to connect machines to both networks.

If malware compromises this machine, the malware could set up a route like you mention -- but if malware compromises your machine, it could just directly start attacking your internal network without modifying any routes.

I want to emphasize again the importance of being clear in your mind about which aspect of the networks is relevant. For instance, in this case, I think the "wired + wireless" part is not a concern, but "internal-only + Internet-connected" part is a concern (and "not-under-your-control + under-your-control" would also be a concern). I don't know what you mean by "regulated", so I'm ignoring that aspect.

I don't think there's any need to go around creating/imposing some special restriction on your hosts to block access to wireless while they're connected to a wired network.

There is one mitigation I can mention to you, for consideration. One organization I'm familiar with has two separate internal networks: one network for non-mobile devices, and a second network for mobile devices (laptops, smartphones, etc.). The first network has full access to our internal servers, and supports only wired (not wireless) access. The second network has semi-limited access to some (but not all) internal services. It supports both wired and wireless access. All mobile devices (laptops, etc.) are automatically directed to the second network (even if they connect via Ethernet, they are still connected to the second network). The purpose of this mitigation is to reduce the spread of malware: empirically, sysadmins noticed that people would often take their mobile devices while traveling, get exposed to malware from some other network (e.g., at a hotel that doesn't have our firewalls), get infected, then bring their device back home and connect to one of the internal networks and infect other internal machines. This isolated-network design is intended to slow down the spread of such malware. Today, it might not be as effective or realistic, but it's something you could consider. However, the best way to mitigate your risks will likely depend intimately upon your particular business and your particular situation.

My earlier answer to the original question:
This question is confusing. It seems to me you are confusing/conflating several different concepts:

Administrative control: a network under your organization's control, vs one that is not.

These are independent features. They're not tied to each other. Your question seems to start from a faulty premise: it seems to equate, e.g., wireless with "not under your administrative control and connected to the Internet" while equating wired with "internal-only and under your control". If that is truly what you were thinking, it is a misconception. You can have a wireless network that is either under your administrative control, or not; and is either connected to the external Internet, or is not. You need to analyze the effect of each of these aspects separately.

Each independent axis affects the risk in a different way:

A wireless medium is potentially riskier, because it enables eavesdropping, interception, and message injection by anyone who is within radio range. This risk can be mitigated or eliminated by using proper security, e.g., WPA2 with a strong key.

Internet connectivity adds risk, because there is the potential that people visit a malicious site and get attacked (or otherwise are attacked by malicious entities on the external Internet). This risk can be somewhat mitigated by using firewalls, endpoint protection, and device hardening, but only to a limited extent.

Use of a network outside of your administrative control adds risk.

So, what should you do? You should figure out what your business requirements and needs are. You should identify what the threats and risks associated with the networks are. Then, based upon a cost-benefit analysis, identify controls to mitigate those risks so the risk is at an acceptable level, given your business's requirements and risk tolerance. Saying anything more specific will depend heavily upon your particular organization and your particular situation.

Helpful, thanks. What I'm looking for is some help with the analysis of what kind of threats are created specifically from having both connections active at the same time. I'll revise my question body to reflect this. Any assumptions it looks like I've made are accurate to my situation.
– Tim Brigham, Nov 14 '12 at 15:34

I don't know of any risk that is inherent to having 2 connections at a time (any risk where the risk-of-the-whole is greater than the sum of the parts). All risks can be analyzed by separately analyzing the risk from the wired network, and the risk from the wireless network.
– D.W., Nov 14 '12 at 16:40

Thanks D.W. - that is what I was thinking but I wasn't familiar enough to be sure.
– Tim Brigham, Nov 14 '12 at 16:43

If you're not using the wireless network, then it should be disabled. If you're in an environment where you don't want intruders on your network, then it's a good idea to disable your wireless network. If an attacker gets onto your wireless network, the implications are about the same as if he got onto your wired network, since the two are typically bridged.

If you would like to provide wireless access but are afraid for the security of your wired network, then don't directly connect the two; but each on a separate network segment connected only by a properly-configured firewall.

I'm afraid I must disagree with @D.W. I have advised all of my clients to disable Split Tunnelling1. Split tunnelling essentially ensures that high risk traffic will follow the less secure route. Flipping the statement the other way, split tunnelling provides the attacker an easier path to your network. That means you're almost certainly wasting money on the controls & mitigations you're applying to the higher path. (I'm going to assert that unless you're spending a whole lot of $$ on ensuring that the security mechanisms on both routes are in synchrony, then they aren't synchronized).

Close corollary to that - you've got two interfaces, and I'm going to attack the weaker of those interfaces. Long ago when I cared about denial of service there were a couple that worked only on specific interfaces, or places where the specific configuration of the network interface greatly enabled/inhibited the attack. Two interfaces doubles the chance that I'll find an interface-specific attack vector.

At a far simpler level, you've doubled the communications vectors which will come close to doubling the cost of establishing a security perimeter - you've got to implement two security perimeters on two separate network routes, with different mechanisms. The precise cost will depend on how much of the infrastructure is shared.

I'd actually love to have the chance to firewalk this network; I suspect the initial attempts would be confusing, but once I realized what was going on, the dual route would provide a fascinating insight. Some people don't consider that to be an attack vector, since the adversary is merely generating strategic information, but in my opinion your network will be administered by the most knowledgeable administrator - if you yield the strategic high ground, your adversary may replace you as the network admin.

You asked for attack vectors, not practical attack vectors, so I will provide a couple from the more esoteric realms of theory. These attacks would probably only be employed by targeted attackers, not by opportunistic attackers.

You're creating a number of covert channels; off the top of my head I'm not sure how I'd exploit those covert channels, and I have to admit that I'm not aware of any significant attacks on covert channels in the real world.

I suspect that there is an opportunity to bypass your security mechanisms (Intrusion Detection Systems) through clever fragmentation of packets. If I split my attack into tiny fragments, wrap each fragment in a packet and transmit the packets alternately on each interface, then I can arrange for them to be reassembled on the far end. Depending on the exact architecture of your IDS, the IDS may never see the attack signature. (This is a variation of known fragmentation attacks.)

I need more information about your proposed scenario before I can go further than that.
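The question's scenario (wired domain NIC plus an unmanaged wireless link, default route on the wireless) and the split-tunnelling point in the answer above both come down to one observable condition on the host: internal prefixes are reachable on one interface while Internet-bound traffic leaves on another. The following script is an added example, not code from any of the posters; it parses a constructed `ip -4 route` style routing table, reports which interface each destination would actually use, flags the dual-homed / split-tunnel condition, and models the "disable the wireless NIC" mitigation by dropping that interface's routes. The interface-name prefixes, the 10.0.0.0/8 internal range and the sample routes are all assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of what `ip -4 route` might print on a dual-homed Linux
# laptop: eth0 on the wired domain network (internal routes only) and wlan0 on an
# unmanaged Wi-Fi that supplies the default route. Not a capture from a real host.
SAMPLE_ROUTES = """\
default via 192.168.50.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.10.0.1 dev eth0 proto static metric 100
10.10.0.0/24 dev eth0 proto kernel scope link src 10.10.0.57 metric 100
192.168.50.0/24 dev wlan0 proto kernel scope link src 192.168.50.23 metric 600
"""

# Assumed (hypothetical) naming convention: interfaces with these prefixes are wireless.
WIRELESS_PREFIXES = ("wlan", "wlp", "wifi")

# Assumed internal address space of the wired domain (constructed for the example).
INTERNAL_PREFIXES = [ipaddress.ip_network("10.0.0.0/8")]

ROUTE_RE = re.compile(
    r"^(?P<dst>default|\S+)"            # destination prefix or the word 'default'
    r"(?: via (?P<gw>\S+))?"            # optional next hop
    r" dev (?P<dev>\S+)"                # egress interface
    r"(?:.*? metric (?P<metric>\d+))?"  # optional metric; other attributes ignored
)


@dataclass
class Route:
    dst: ipaddress.IPv4Network
    gateway: Optional[str]
    dev: str
    metric: int


def parse_routes(text: str) -> list:
    """Parse `ip -4 route` style output into Route objects; unparseable lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst = "0.0.0.0/0" if m["dst"] == "default" else m["dst"]
        routes.append(Route(ipaddress.ip_network(dst, strict=False),
                            m["gw"], m["dev"], int(m["metric"] or 0)))
    return routes


def is_wireless(dev: str) -> bool:
    return dev.startswith(WIRELESS_PREFIXES)


def route_for(routes: list, ip: str) -> Optional[str]:
    """Longest-prefix match with metric tie-break; returns the egress interface or None."""
    addr = ipaddress.ip_address(ip)
    candidates = [r for r in routes if addr in r.dst]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r.dst.prefixlen, -r.metric))
    return best.dev


def drop_interface(routes: list, dev: str) -> list:
    """Model the mitigation 'disable the wireless NIC': remove every route it carried."""
    return [r for r in routes if r.dev != dev]


def audit(routes: list) -> dict:
    """Flag the dual-homed and split-tunnel conditions discussed in the thread."""
    defaults = [r for r in routes if r.dst.prefixlen == 0]
    default_dev = min(defaults, key=lambda r: r.metric).dev if defaults else None
    devs = {r.dev for r in routes}
    internal_devs = {r.dev for r in routes
                     if r.dst.prefixlen > 0
                     and any(r.dst.overlaps(p) for p in INTERNAL_PREFIXES)}
    return {
        "interfaces": sorted(devs),
        "dual_homed": len(devs) > 1,
        "default_iface": default_dev,
        "default_on_wireless": default_dev is not None and is_wireless(default_dev),
        # Internal prefixes reachable on one NIC while Internet-bound traffic leaves on
        # another: the host itself now bridges the two security perimeters.
        "split_tunnel": default_dev is not None and bool(internal_devs - {default_dev}),
    }


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTES)
    print("before:", audit(routes), "| 8.8.8.8 ->", route_for(routes, "8.8.8.8"))
    hardened = drop_interface(routes, "wlan0")
    print("after: ", audit(hardened), "| 8.8.8.8 ->", route_for(hardened, "8.8.8.8"))
```

On the sample table, `route_for` shows the asymmetry the answer describes: 8.8.8.8 leaves via wlan0 while 10.20.30.40 goes via eth0, so any perimeter control on the wired path never sees the Internet-bound traffic. After `drop_interface(routes, "wlan0")` the host has a single interface, no split tunnel, and no default route at all, which is exactly the "internet only through the firewalled path, or not at all" posture the second answer recommends; on a real fleet the same check can be run against `ip -4 route` output collected by an endpoint agent.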